Connecting CloudGuard Controller


Time: 2 hours 22 minutes
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
>> Welcome to the Check Point Jump Start Training: How to deploy a CloudGuard network security and threat prevention product lab. Exercise 5, connecting the CloudGuard controller.

In the previous exercise, we deployed a web server in the web network. We created a route table and we added three routes. We then created a firewall policy and a rule base to be able to access the web server. In this fifth and final exercise, we're going to activate the CloudGuard controller on the Management Station. Once we have activated the CloudGuard controller, we are going to import the Azure cloud resources into the Management Station so that we can then use the cloud resources, the cloud identities, in a firewall rule base. Let me show you how. Let's get started.
Open SmartConsole, go to the Objects menu, and select New Host. Let's call this host Local Host. It's going to represent the Management Station. We're going to use the IP address of the loopback, which is 127.0.0.1. Select OK.

Now, let's go and select the gateway object CGIGW, the CloudGuard firewall object. Here we want to enable the Identity Awareness blade, which the firewall will use to get the identities from the Management Station. Let's select this option. The deployment wizard will pop up. I really don't want the wizard, but we need to select something to get past it. Let's select Terminal Servers and uncheck the AD Query option. Select Next. Select "I don't want to configure Active Directory". Select Next. Now let's finish.

The reason I went through the wizard is to get the Identity Awareness tab. Let's select it. As I mentioned, I really did not need the terminal server; I only selected it to get past the wizard. Now let's uncheck it. What I really wanted to enable was Identity Web API, but it was not an option during the wizard. Let's select it now. We also need to configure some settings parameters. Select Settings. Select the green icon to add a client. Let's select the Local Host object that we just created. Select OK, and select OK again. Say Yes to accept the URL change. Again, select Yes: you want to keep the change even though multiple objects have the same IP address.

Let's install the policy: Publish and Install. It's publishing the changes to the Management Station. Let's install the policy to the firewall. Let's view the details. Now it's installing the new policy to the firewall. This new policy will turn on the Identity Awareness process on the gateway. We're almost there. The policy push is complete. Let's close this.
The Identity Awareness process is now set up and ready to get the cloud identities from the Management Station using the Identity Awareness API. The controller process that is running on the Management Station will get its identities from the Azure cloud using the cloud APIs. Remember, we turned on the CloudGuard controller on the Management Station in lab 2, but we never really configured the controller. How does the Management Station get the identities from the Azure cloud? Well, that's what the management controller process will do. The controller process will get identities from the Azure cloud using Azure APIs; then the controller on the Management Station will feed this information to the firewall using Identity Awareness APIs. Next, I'm going to show you how to configure the controller to communicate with the Azure cloud and get the cloud identities using cloud APIs.
We need to create a new object, a very special object. Select New, More. Select Server, select Data Center. The Data Center object is a very special object that we use with CloudGuard. You can see all the different cloud versions that we support, both for public and private clouds. In this case, let's select the Microsoft Azure Data Center object. When we click on it, we get the new Microsoft Azure object. We need to fill in the details. Let's name this object Azure-DC.

There are two ways to authenticate this controller object to the Azure cloud: using either service principal authentication or Azure Active Directory user authentication. You can use the service principal if you have the information from your cloud provider. But for me, I'm going to use the username and password. Let's fill in all the details. Once all the correct details are completed, select Test Connection, and it works perfectly. We have a solid communication connection from the controller running on the Management Station to the Azure cloud.

>> Let's publish this change. This will save it in the database. Changes are being saved.
Now, let's verify whether we can see the Azure cloud objects in a rule base. Go to the Security and Policy tab. We're going to test this using a rule. Let's add a rule: select the "Add Rule Above" icon. Let's call this rule Web Outbound. Select Source, select Import, select Data Centers, select the Azure-DC, which is the Azure Data Center object that we just created and just authenticated. Perfect. We can now see the cloud resource objects. Look, here is the backend subnet object that we created in the Azure cloud in Exercise 1. Here is the frontend subnet object that we also created in Exercise 1. Here is the CloudGuard Management Station object, CPMNG. Also, we see the CGI gateway object, which is the CloudGuard gateway.

You can search all the cloud resources in a few ways. You can search by network subscriptions, in case you have other Azure accounts or subscriptions. You can search the cloud resources by Network Security Groups. Look here, you can even search by tags. Remember I said, when we created the cloud resources, that we could add tags if we wanted to. Well, if you had added tags, you can search the tag name here. Let's go to the virtual machines. Here is the web virtual machine that we created in Exercise 4. Let's select it. Let's now change the action to Accept and the tracking to Log.

Also, I want to enable outbound NAT. Let's select the gateway object, CGIGW. Let's go to the NAT tab, and we select "Hide internal networks behind the gateway's external IP address". This NATs all internal IP addresses; it's a very handy and simple way to do NATing. Select OK. Yes, again, to confirm the warning. Let's push this policy: Publish and Install. Every time you make a change, you have to publish before you can install. Now, let's complete the install and view the details. The details view gives you a good view of the status and any errors, if any. Good, the policy is installed. Close this dialog box.
Now I want to test this rule that we just created. Let's go back to the Azure cloud. I want to select the web virtual machine. Let's open a serial console on the web virtual machine. It takes a few seconds to get console access. Let's log in with our username and password. Now let's ping Google: ping 8.8.8.8. We get ICMP echo replies. Great, we're able to ping Google from the web server. This means that both our firewall rules and NAT rules, and also our routing tables, are working as expected. Now, let's exit this.

Let's go back to the logs. Let's look for ICMP packets to Google. Let's use a filter. The source will be the web server, 10.0.2.4. There was a lot of traffic. I'm searching for a destination of Google and a service of ICMP. Here is one. Let's click on it. Notice the source is myweb, 10.0.2.4, and the destination is 8.8.8.8. That's Google's IP. On the NAT side, the Xlate is the CGIGW external IP of 10.0.0.5. That's the gateway's external IP on the frontend subnet. Now let's close this log.
Now that brings us to the end of this exercise. Before exiting, let's recap once again what we did in this lab. In this lab, we configured the controller. We first enabled the Identity Awareness blade on the gateway. We used the Identity Awareness Web API identity method. We created a CloudGuard Data Center object. We authenticated the Data Center object to the Azure cloud. Then we verified that the connection was successful. We created a rule in order to test the Azure CloudGuard Data Center connector object. In the source of the rule, we were able to retrieve the Azure cloud resources. We added the web virtual machine as a source, going to any destination over any service. We pushed the policy, then we tested it by pinging Google from the web server.

That brings us to the completion of Exercise 5. This not only ends this exercise, but also ends this lab. I sincerely hope that you found this information useful in understanding the CloudGuard Network Security and Threat Prevention product. I hope to see you again in future Check Point Jump Start training videos. Until then, bye for now.